Ethereum Layer-2 ZKsync Confirms $5 Million Theft via Compromised Airdrop Admin Account

ZKsync, an Ethereum Layer-2 scaling solution, has disclosed a security compromise in which $5 million in unclaimed airdrop tokens were stolen. The problem occurred after an administrative wallet that manages the airdrop contracts was compromised. The breach, described as an “isolated attack,” has raised worries about the security of token distribution in the zk-rollup market. During last year’s 21 billion token airdrop, the project received criticism for unequal token allocation and poor Sybil protection.
How the Exploit Happened
On April 15, ZKsync revealed a security breach involving unauthorized use of an admin wallet. The attacker used a privileged function in the airdrop distribution contracts to mint approximately 111 million unclaimed ZK tokens, worth roughly $5 million, increasing the circulating supply by 0.45%. According to ZKsync’s official statement on X (formerly Twitter), the exploit stemmed from misuse of the ‘sweepUnclaimed()’ function, which had access to the unallocated tokens from the ongoing airdrop.
ZKsync confirmed that
“The attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts.”
The team reassured the community that the breach was isolated, noting that
“this incident is contained to the airdrop distribution contracts only, and all the funds that could be minted have been minted. No further exploits via this method are possible.”
ZKsync underlined that the attack did not affect any user funds or core smart contracts, that “necessary security measures are being taken,” and that a full investigation is under way to assess the issue and prevent future weaknesses.
Additional examination by security researchers revealed that the vulnerability was facilitated by weak controls around privileged functions. Critics emphasized that the compromised admin wallet lacked comprehensive multisignature (multisig) protection, which, had it been in place, might have limited or entirely prevented the breach.
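The weakness described above, a privileged sweep function guarded by a single admin key, is easier to reason about next to a hardened alternative. The following pair of contracts is an added illustration, not ZKsync’s code, and nothing in it reflects the actual airdrop contracts: the names `AirdropWeak`, `AirdropHardened`, the `IToken` interface, the 7-day delay and the treasury address are all assumptions. The weak version lets whoever holds one key mint the entire unclaimed balance to themselves instantly; the hardened version restricts the call to a governance multisig, splits it into a queued request and a delayed execution that can be cancelled, caps the amount to the accounted balance, pays out to a fixed treasury address, and emits events that monitoring can alert on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: neither contract is ZKsync's code. The interface,
// contract names, SWEEP_DELAY and the treasury address are assumptions.
interface IToken {
    function mint(address to, uint256 amount) external;
    function transfer(address to, uint256 amount) external returns (bool);
}

// Weak pattern: a single externally owned admin key can mint the whole
// unclaimed balance, immediately, with no cap, no delay and no fixed
// destination. Compromise of that one key is compromise of everything.
contract AirdropWeak {
    IToken public immutable token;
    address public admin;              // one key, no multisig
    uint256 public unclaimed;

    constructor(IToken _token, uint256 _unclaimed) {
        token = _token;
        admin = msg.sender;
        unclaimed = _unclaimed;
    }

    function sweepUnclaimed() external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unclaimed;
        unclaimed = 0;
        token.mint(admin, amount);     // mints straight to the caller's key
    }
}

// Hardened pattern: only the governance address (expected to be a multisig
// or timelock) may act, the sweep is announced before it can execute, the
// delay gives time to cancel if the key is suspected compromised, the
// amount is bounded, tokens move from pre-funded escrow instead of being
// minted, and every step is logged for detection.
contract AirdropHardened {
    IToken public immutable token;
    address public immutable governance;   // multisig / timelock, not an EOA
    address public immutable treasury;     // fixed destination, never msg.sender
    uint256 public immutable claimDeadline;
    uint256 public constant SWEEP_DELAY = 7 days;   // assumed value

    uint256 public unclaimed;
    uint256 public sweepRequestedAt;       // 0 means nothing queued

    event SweepQueued(uint256 amount, uint256 executableAt);
    event SweepCancelled();
    event SweepExecuted(address indexed to, uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(IToken _token, address _governance, address _treasury,
                uint256 _claimDeadline, uint256 _unclaimed) {
        require(_governance != address(0) && _treasury != address(0), "zero address");
        token = _token;
        governance = _governance;
        treasury = _treasury;
        claimDeadline = _claimDeadline;
        unclaimed = _unclaimed;
    }

    // Step 1: announce the sweep. Nothing moves yet; watchers see the event.
    function queueSweep() external onlyGovernance {
        require(block.timestamp > claimDeadline, "claims still open");
        require(sweepRequestedAt == 0, "already queued");
        sweepRequestedAt = block.timestamp;
        emit SweepQueued(unclaimed, block.timestamp + SWEEP_DELAY);
    }

    // Governance can abort during the delay window.
    function cancelSweep() external onlyGovernance {
        require(sweepRequestedAt != 0, "nothing queued");
        sweepRequestedAt = 0;
        emit SweepCancelled();
    }

    // Step 2: execute only after the delay, bounded to the accounted
    // balance, paid to the fixed treasury address.
    function executeSweep() external onlyGovernance {
        require(sweepRequestedAt != 0, "nothing queued");
        require(block.timestamp >= sweepRequestedAt + SWEEP_DELAY, "delay not elapsed");
        uint256 amount = unclaimed;
        unclaimed = 0;
        sweepRequestedAt = 0;
        require(token.transfer(treasury, amount), "transfer failed");
        emit SweepExecuted(treasury, amount);
    }
}
```

The design choice worth noting is that the hardened contract never trusts a single transaction: the `SweepQueued` event plus the delay means an off-chain monitor has a window to raise an alarm and governance has a window to call `cancelSweep()` before any tokens move, and even a successful execution can only send the accounted balance to a pre-set treasury rather than to whatever address signed the call.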
ZKsync is collaborating with the Security Alliance (SEAL) on recovery work, and has confirmed that its token contracts and governance are not affected and that no further exploits are possible through the “sweepUnclaimed()” vector. The total value locked on the ZKsync Era platform, Ethereum’s zero-knowledge-rollup layer-2, stands at $57.3 million. On April 15, the company was airdropping 17.5% of its token supply to members of the ecosystem.
Market Reaction and Damage Assessment
The market reacted quickly to the hack, with ZK tokens losing over 13.7% of their value in only 24 hours, falling from $0.046 to $0.039. Trading volume increased by 96% to $71 million, indicating heavy selling and fear on decentralized exchanges.
Further investigation revealed that the attacker quickly swapped the stolen tokens for ETH to obscure the trail, routing the proceeds through multiple wallets. At present, approximately 44 million of the stolen tokens, worth approximately $2.1 million, remain unaccounted for, while 2,200 ETH (approximately $3.4 million) can still be traced.
Broader Implications for DeFi Security
This event highlights the significance of strong security measures in DeFi platforms. As the ecosystem evolves, securing the integrity of administrative controls is critical to preserving user trust and protecting assets.
The ZKsync hack serves as a stark reminder of the vulnerabilities that can exist in smart contract systems, particularly around administrative privileges. As DeFi platforms grow and attract more users, thorough security audits and strong governance procedures become increasingly important.
The post Ethereum Layer-2 ZKsync Confirms $5 Million Theft via Compromised Airdrop Admin Account appeared first on Coinfomania.